Asked by MasterControl007-3518, answered by vipulsparsh-MSFT

Sentinel Analytics Rule Template: TI map Domain entity to DnsEvent

Has anyone got this analytics rule template up and running?

Connected Data sources:
TI platform
Dns Analytics

These are working properly and tested. I have matched dns domain translations for domain IOCs with timestamps in the specified time range but these are not matched by the analytics rule.

I am struggling with the Kusto rule query. It's not returning any results, whereas I have confirmed that I have valid DnsEvents logs and threat intelligence logs that match. It's just that the query can't match them. I'm trying to deconstruct the rule query, and certain parts execute fine when I isolate them.

Can anyone help me troubleshoot this further?

let dt_lookBack = 8h;
let ioc_lookBack = 15d;
//Create a list of TLDs in our threat feed for later validation
let list_tlds = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(ioc_lookBack)
    | where isnotempty(DomainName)
    | extend parts = split(DomainName, '.')
    | extend tld = parts[(array_length(parts) - 1)]
    | summarize count() by tostring(tld)
    | summarize make_list(tld);
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where Active == true
// Picking up only IOC's that contain the entities we want
| where isnotempty(DomainName)
| join (
    DnsEvents
    | where TimeGenerated > ago(dt_lookBack)
    //Extract domain patterns from syslog message
    | where isnotempty(Name)
    | extend parts = split(Name, '.')
    //Split out the TLD
    | extend tld = parts[(array_length(parts) - 1)]
    //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed
    | where tld in~ (list_tlds)
    | extend DNS_TimeGenerated = TimeGenerated
    )
    // Note: '==' is an exact, case-sensitive string compare, unlike the 'in~' used for the TLD check above
    on $left.DomainName == $right.Name
// After the join, TimeGenerated is the indicator's time; DNS_TimeGenerated is the DNS event's time
| where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType
| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url


microsoft-sentinel

1 Answer

vipulsparsh-MSFT answered

@MasterControl007-3518 I do not have such a data set available in my setup, hence I can't run your query to understand which part works and which does not.

Can you share more information about which query parts work for you, and which statements, when added, return nothing?
Are you having issues after you join the tables? And do the individual tables, ThreatIntelligenceIndicator and DnsEvents, work fine?

This article talks about how to utilize the join operator efficiently with Kusto: https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-correlation-rules-the-join-kql-operator/ba-p/1041500

Here are a few examples for this and other join flavors: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/joinoperator?pivots=azuredataexplorer#example



If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.

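The answer asks which part of the rule drops the rows. The diagnostic query below is an added example (not from the thread, the rule template, or Microsoft) that runs the template's filters one stage at a time against the same ThreatIntelligenceIndicator and DnsEvents tables and reports a row count per stage, so the first stage that reads 0 is the one to inspect. It also adds a normalised join (lowercase, trailing dot stripped) beside the template's exact join, since '==' on DomainName and Name is case-sensitive; the stage names are constructed labels.

```kql
let dt_lookBack = 8h;
let ioc_lookBack = 15d;
// Stages 1-2: the indicator side, with the template's filters applied one at a time.
let ioc = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | where isnotempty(DomainName);
let ioc_active = ioc
    | where ExpirationDateTime > now() and Active == true;
// Stage 3: the DNS side. Keep the event time under its own name before joining,
// because after the join TimeGenerated refers to the indicator row.
let dns = DnsEvents
    | where TimeGenerated > ago(dt_lookBack)
    | where isnotempty(Name)
    | extend DNS_TimeGenerated = TimeGenerated;
// Stage 4: the template's own join key. '==' is an exact, case-sensitive compare,
// so 'Evil.example' or 'evil.example.' (trailing dot) do not match 'evil.example'.
let exact_join = ioc_active
    | join kind=inner (dns) on $left.DomainName == $right.Name;
// Stage 5: the same join after lowercasing both keys and dropping a trailing dot.
// A count here that is higher than stage 4 points at a normalisation mismatch.
let normalized_join = ioc_active
    | extend key = tolower(trim_end(@"\.", DomainName))
    | join kind=inner (dns | extend key = tolower(trim_end(@"\.", Name))) on key;
// Stage 6: the template's time window. Rows that survive stage 4 but not this step
// have a DNS event older than the indicator's TimeGenerated or past its expiry.
let in_window = exact_join
    | where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime;
union
    (ioc             | summarize rows = count() | extend stage = "1 domain indicators in lookback"),
    (ioc_active      | summarize rows = count() | extend stage = "2 ... that are Active and unexpired"),
    (dns             | summarize rows = count() | extend stage = "3 DnsEvents with a Name in lookback"),
    (exact_join      | summarize rows = count() | extend stage = "4 exact join on DomainName == Name"),
    (normalized_join | summarize rows = count() | extend stage = "5 join after tolower / trailing-dot strip"),
    (in_window       | summarize rows = count() | extend stage = "6 stage 4 rows inside the TI time window")
| project stage, rows
| order by stage asc
```

If stage 5 is non-zero while stage 4 is zero, the indicator feed and the DNS names differ only in case or a trailing dot; if stage 4 is non-zero but stage 6 is zero, the indicators were ingested after the DNS events (or have already expired), which the template's time window excludes.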